Security

Effective 2026-05-28 · DUEX (duex.app) · Toronto, Canada

DUEX is in an early private-pilot phase. This page describes, in plain language, how we handle data, access, and incidents for pilot conversations.

DUEX has not yet completed SOC 2 or ISO 27001 certification and does not currently claim HIPAA compliance. We operate today to the SOC 2 Security Trust Services Criteria across access control, encryption, change management, logging, and incident response. We can share a completed CAIQ-Lite or SIG-Lite response, our DPA, our Subprocessors list, and this Security page on request — email [email protected] to start a vendor review.

How we handle your data

Who can access your data

Transport and storage

Service hardening

Review integrity

Customer input is wrapped in a marked-out fence before it is sent to any review model, and an explicit security preamble instructs the model to treat anything between the markers as data, never as instructions. This is applied to every reviewer prompt, the synthesizer, and the audit verifier. We cannot guarantee that every adversarial input will be caught, but the fencing and security preamble materially reduce the prompt-injection risk.

Every review is checked by an independent cross-provider audit model that re-reads the deal input, the four reviewer perspectives, and the final memo, and flags math errors, fabricated facts (numbers or policies not in your input), internal contradictions, or hedging. Reviews that fail the audit on a material issue are refined once before they ship; the audit result is shown on the response. This is a product feature, but it is also a privacy/security control — the second model is from a different provider, so a single provider's outage or model defect cannot silently degrade output quality.

Vulnerability management and patching

DUEX uses dependency scanning on our application code, enforces pre-deployment review of all changes, and applies security updates on a risk-prioritized basis. Critical vulnerabilities that affect pilot data are reviewed promptly and remediated or mitigated as soon as reasonably practicable.

Logs and backups

DUEX uses operational logs (request timings, errors, model selections, cost per review) for security, debugging, and reliability. We avoid logging full customer deal content in our runtime logs. Logs are typically retained up to 90 days unless needed for an investigation. Pilot data is deleted from active systems within 30 days after the pilot ends or on your written request — whichever comes first; copies may remain in encrypted backups until they expire under normal cycles, unless earlier deletion is technically feasible.

DUEX maintains daily encrypted backups of the production database, and a documented disaster-recovery plan designed to restore core service functionality promptly in the event of an infrastructure failure.

Incidents

Reporting a security issue

If you think you have found a security issue in DUEX, email [email protected] with the affected web pages, how to make the issue happen again, and what the impact is. Please do not include third-party personal data or customer deal data in your first report.

Safe harbor. If you act in good faith — testing only your own account or test data, not exfiltrating customer data, not running destructive tests, and giving us a reasonable chance to respond — we will not pursue legal action against you for the report. We aim to acknowledge security reports within two business days.

Changes

This page evolves with the product. The effective date above reflects the most recent revision.